Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Simo Sorce <simo redhat com>
- To: David Woodhouse <dwmw2 infradead org>
- Cc: Russ Allbery <rra stanford edu>, guido pch mit edu, Günther <agx sigxcpu org>, gnome-keyring-list gnome org, krbdev mit edu, Stef Walter <stefw collabora co uk>
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 11:10:19 -0400
On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
> AFAICT most Windows sites *don't* set a policy. They just use the
> standard Windows default of 10-hour/10-day tickets — because it
> really make any significant difference to Windows clients, does it?
They don't really need to because they can obtain a new ticket from
scratch every time you unlock the screensaver (to which you give your
password), which is what we do with sssd as well as the password goes
down the pipe through pam.
So the case where a 10h/10d policy is not enough is extremely rare.
Simo Sorce * Red Hat, Inc * New York
] [Thread Prev